Talos Vulnerability Report

TALOS-2016-0168

August 26, 2016

CVE Number

CVE-2016-4306

Summary

Multiple information leaks exist in various IOCTL handlers of the Kaspersky Internet Security KLDISK driver. Specially crafted IOCTL requests can cause the driver to return out of bounds kernel memory, potentially leaking sensitive information such as privileged tokens or kernel memory addresses that may be useful in bypassing kernel mitigations. An unprivileged user can run a program from user mode to trigger this vulnerability.

Because the IOCTL uses the METHOD_BUFFERED transfer type for its input/output buffer, and the output buffer length is wrongly assigned to IoStatus.Information, kernel memory is leaked to userland.

Tested Versions

Kaspersky Total Security 16.0.0.614

Product URLs

http://www.kaspersky.com/

Details

This vulnerability can be triggered by sending IOCTL requests to the KlDiskCtl device. Here we show that the default access control on the device allows any user on the system to send IOCTL requests:

In Line 7 we see that OutputBufferLength is set to 0x14, but in Line 18 it is reassigned a value taken from the parameters passed by the user.
Line 20 calls a function to which OutputBufferLength is passed as a parameter; the callee is expected to set it according to the size of the returned buffer. The vulnerability appears when the condition on line 36 is not met: in that case the function does not assign outBuffLen on line 49.
Since the callee did not replace the value, line 22 sets the IoStatus.Information field, which tells the I/O manager how many bytes of the output buffer to return to user mode, from fully user-controlled input, so an arbitrary amount of kernel memory is leaked to user space.
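The METHOD_BUFFERED completion behaviour described above, modelled in host C as an added example (not code from this report or from the KLDISK driver): the vulnerable handler sets IoStatus.Information from the caller's OutputBufferLength, while the hardened one validates the length and reports only the bytes it wrote. The buffer sizes, fill bytes and the 0x80-byte request are constructed values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a METHOD_BUFFERED IRP: input and output share one system buffer and,
 * on completion, the I/O manager copies IoStatus.Information bytes back to the
 * caller. Sizes and fill bytes are constructed sample values, not driver data. */
#define REPLY_LEN  0x14u  /* bytes the handler really produces */
#define SYSBUF_LEN 0x100u /* largest OutputBufferLength modelled */
#define STALE_BYTE 0xAA   /* stands in for leftover kernel pool contents */

/* sysbuf = Irp->AssociatedIrp.SystemBuffer, information = Irp->IoStatus.Information */
typedef struct { uint8_t sysbuf[SYSBUF_LEN]; size_t information; } irp_t;

static void prepare_irp(irp_t *irp) {
    memset(irp->sysbuf, STALE_BYTE, SYSBUF_LEN); /* pool left uninitialised */
    irp->information = 0;
}

/* Vulnerable: Information is the caller's OutputBufferLength, not bytes written. */
static size_t handler_vulnerable(irp_t *irp, size_t out_len) {
    memset(irp->sysbuf, 0x41, REPLY_LEN);
    irp->information = out_len < SYSBUF_LEN ? out_len : SYSBUF_LEN;
    return irp->information;
}

/* Hardened: validate the length, report only bytes written; -1 = buffer too small. */
static int handler_fixed(irp_t *irp, size_t out_len) {
    if (out_len < REPLY_LEN) { irp->information = 0; return -1; }
    memset(irp->sysbuf, 0x41, REPLY_LEN);
    irp->information = REPLY_LEN;
    return 0;
}

/* Simulated completion: count never-written bytes that would reach user mode. */
static size_t leaked_bytes(const irp_t *irp) {
    size_t n = 0;
    for (size_t i = 0; i < irp->information && i < SYSBUF_LEN; i++)
        if (irp->sysbuf[i] == STALE_BYTE) n++;
    return n;
}

int main(void) {
    irp_t irp;
    prepare_irp(&irp); handler_vulnerable(&irp, 0x80);
    printf("vulnerable: %zu stale bytes leaked\n", leaked_bytes(&irp)); /* 108 */
    prepare_irp(&irp); handler_fixed(&irp, 0x80);
    printf("fixed: %zu stale bytes leaked\n", leaked_bytes(&irp));      /* 0 */
    return 0;
}
```

The leak size grows with the caller's requested length because the handler only ever fills 0x14 bytes; clamping Information to the bytes actually written removes it regardless of what the caller asks for.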